Bug 561452 (CVE-2015-5522) - <app-text/htmltidy-20090325-r2 <dev-ruby/tidy-ext-0.1.14-r3: Two Denial of Service Vulnerabilities (CVE-2015-{5522,5523})
Status: RESOLVED FIXED
Alias: CVE-2015-5522
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.debian.org/security/2015/...
Whiteboard: C3 [noglsa cve]
Keywords:
Duplicates: 671452
Depends on:
Blocks:
 
Reported: 2015-09-25 11:44 UTC by Sylvia
Modified: 2021-06-04 19:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch issued by tidy-html5 fork (11CVE-2015-5522.patch, 1.35 KB, patch)
2015-09-25 11:46 UTC, Sylvia
tidy-ext-0.1.14-r3:20160627-074010.log (tidy-ext-0.1.14-r3:20160627-074010.log, 8.52 KB, text/plain)
2016-06-27 08:09 UTC, Agostino Sarubbo

Description Sylvia 2015-09-25 11:44:14 UTC
This package ships a vulnerable version and needs to be patched.
Debian has a patch.

AddressSanitizer: heap-buffer-overflow WRITE of size 1
https://security-tracker.debian.org/tracker/CVE-2015-5522

small file can lead to a 4 Gb allocation; potential DoS
https://security-tracker.debian.org/tracker/CVE-2015-5523



Reproducible: Always
Comment 1 Sylvia 2015-09-25 11:46:12 UTC
Created attachment 412860 [details, diff]
patch issued by tidy-html5 fork

Addresses both CVEs
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792571
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-09-27 13:48:57 UTC
CVE-2015-5523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5523):
  The ParseValue function in lexer.c in tidy before 4.9.31 allows remote
  attackers to cause a denial of service (crash) via vectors involving
  multiple whitespace characters before an empty href, which triggers a large
  memory allocation.

CVE-2015-5522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5522):
  Heap-based buffer overflow in the ParseValue function in lexer.c in tidy
  before 4.9.31 allows remote attackers to cause a denial of service (crash)
  via vectors involving a command character in an href.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-09-27 14:13:28 UTC
Sylvia - Do you want to pick up the package as a proxy maintainer? Please take a look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers and see if you are interested.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 17:55:31 UTC
This package has no maintainers, and no one is picking it up. Do we want to tree clean?
Comment 5 Pacho Ramos gentoo-dev 2016-01-08 14:11:28 UTC
It has plenty of reverse dependencies that need to be handled first :|
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-04-23 04:48:28 UTC
Pacho, any updates on this?
Comment 7 Pacho Ramos gentoo-dev 2016-04-23 10:40:11 UTC
The package is in maintainer-needed, feel free to apply the patch if possible :/ I don't have the time for handling all the packages in maintainer-needed; I try to help on them when possible and, as they are orphan, any dev can go ahead and fix them if wanted :|

For this case, I think the only solution is to try to apply the patch; it cannot be treecleaned with so many reverse deps.
Comment 8 Hans de Graaff gentoo-dev Security 2016-06-06 05:58:35 UTC
I believe dev-ruby/tidy-ext bundles the tidy code, so I assume it is also affected by these issues.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-06 08:49:46 UTC
Any relation to app-text/tidy-html5 ?
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 17:06:13 UTC
(In reply to Aaron Bauman from comment #9)
> Any relation to app-text/tidy-html5 ?

Please see dev mailing list, some discussion about this there.
Comment 11 Hans de Graaff gentoo-dev Security 2016-06-11 07:27:42 UTC
I have added dev-ruby/tidy-ext-0.1.14-r3 with this patch applied.

While I was at it I also added app-text/htmltidy-20090325-r2 with the patch applied.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-06-14 23:44:38 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 13 Hans de Graaff gentoo-dev Security 2016-06-15 19:01:24 UTC
Please test and mark stable:

app-text/htmltidy-20090325-r2
dev-ruby/tidy-ext-0.1.14-r3

ia64, sparc: you need to finish bug 565114 first, or drop stable keywords from dev-ruby/tidy-ext.
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-16 12:33:00 UTC
Both stable on alpha.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:22:51 UTC
Stable for HPPA.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:24:48 UTC
Stable for PPC64.
Comment 17 Markus Meier gentoo-dev 2016-06-21 18:29:30 UTC
arm stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-06-27 08:09:08 UTC
Created attachment 438954 [details]
tidy-ext-0.1.14-r3:20160627-074010.log

build log
Comment 19 Agostino Sarubbo gentoo-dev 2016-06-27 08:10:55 UTC
(In reply to Agostino Sarubbo from comment #18)
> Created attachment 438954 [details]
> tidy-ext-0.1.14-r3:20160627-074010.log
> 
> build log

There was a script failure, please do not consider this attachment.
Comment 20 Agostino Sarubbo gentoo-dev 2016-07-01 08:57:31 UTC
amd64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:32 UTC
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2016-07-08 09:04:06 UTC
x86 stable
Comment 23 Agostino Sarubbo gentoo-dev 2016-07-08 10:31:39 UTC
sparc stable
Comment 24 Agostino Sarubbo gentoo-dev 2016-07-08 13:49:51 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 25 Hans de Graaff gentoo-dev Security 2016-07-09 05:06:00 UTC
Vulnerable versions have been removed

Note that the security bug was already closed before that.
Comment 26 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 05:23:38 UTC
(In reply to Hans de Graaff from comment #25)
> Vulnerable versions have been removed
> 
> Note that the security bug was already closed before that.

Sorry about that.
Comment 27 SpanKY gentoo-dev 2021-06-04 19:28:33 UTC
*** Bug 671452 has been marked as a duplicate of this bug. ***